ANSPDCP (Romania) - Alpha Bank România SA

From GDPRhub
Revision as of 20:23, 6 September 2022 by Dana.duta
ANSPDCP - Alpha Bank România SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 29.08.2022
Fine: 1,000 EUR
Parties: Alpha Bank România SA
National Case Number/Name: Alpha Bank România SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

The Romanian DPA fined Alpha Bank România SA €1000 for mistakenly sending a document to the wrong recipient through the WhatsApp application.

English Summary

Facts

The investigation was started as a result of a data breach notification sent by Alpha Bank Romania SA under Article 33 GDPR. The incident affected 4 data subjects and led to the unauthorized disclosure of, or unauthorized access to, certain personal data, such as: name and surname, personal identification number, position and signature, type of credit, number and date of signing the contract, credit period and the date of the last due date.

Holding

The Romanian DPA fined the controller €1000 for violating Article 29 GDPR, Article 32(1)(b) GDPR, Article 32(2) GDPR and Article 32(4) GDPR: the controller had not implemented adequate technical and organizational measures to ensure a level of confidentiality and security appropriate to the risk of processing, and had not taken sufficient measures to ensure that any natural person acting under the authority of the operator and who has access to personal data processes them only at the operator's request. In addition, the DPA ordered the controller to: 1. implement and transmit to the responsible persons instructions regarding the prohibition of the use of employees' personal equipment in customer relations (e.g. mobile phone) for communication applications/online chat services not authorized by the Bank; 2. adopt measures regarding the training of persons acting under the operator's authority, including regarding the risks and consequences involved in the disclosure of personal data.

Comment

The Romanian DPA publishes only the press releases, therefore no more information was available on the decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

In July 2022, the National Supervisory Authority completed an investigation at the operator Alpha Bank România SA and found a violation of the provisions of art. 29 and art. 32 para. (1) lit. b), paragraph (2) and para. (4) of the General Data Protection Regulation.

As such, the operator was penalized for contravention with a fine of 4,935.10 lei (equivalent to 1000 EURO).

The investigation was started as a result of a data security breach notification that was sent by Alpha Bank Romania SA, based on the provisions of art. 33 of the General Data Protection Regulation.

Thus, according to what is mentioned in the notification form, the violation of the security of data processing occurred as a result of the fact that a document was sent to another recipient, by mistake, by using the WhatsApp application.

During the investigation it turned out that this violation led to the unauthorized disclosure of, or unauthorized access to, certain personal data, such as: name and surname, CNP, position and signature, type of credit, number and date of signing the contract, period of credit and the date of the last due date; a number of 4 natural persons concerned were affected by the incident.

The National Supervisory Authority found that Alpha Bank Romania SA did not implement adequate technical and organizational measures to ensure a level of confidentiality and security corresponding to the processing risk and did not take sufficient measures to ensure that any natural person acting under the authority of the operator and who has access to personal data only processes them at his request.

At the same time, under art. 58 para. (2) lit. d) from the General Regulation on Data Protection, the following corrective measures were ordered against the operator:

reviewing and updating the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including work procedures related to the protection of personal data, by implementing and transmitting to the responsible persons some instructions regarding the prohibition of the use of personal equipment of employees in customer relations (e.g. mobile phone) for communication applications/online chat services not authorized by the Bank;
the adoption of measures regarding the training of persons acting under the operator's authority, including regarding the risks and consequences involved in the disclosure of personal data.
Legal and Communication Department